
Fail2ban route option not working

Lee Edwards

Fail2ban route not working: fail2ban 0.9.2, a virgin install of CentOS 7 - Plesk 12.5.30 #8
Fail2ban route working: fail2ban 0.8.3, CentOS 7 and a CentOS 6 server, both with Plesk 12.0.xx (latest one, don't remember the number)

I was using fail2ban route.conf to create jails like recidive-route and ssh-route in Plesk 12.0.xx. It worked great, blocking bad IP addresses with ip route.

Upgraded to Plesk 12.5 and fail2ban does not have a route.conf action.d file.

I created a new jail "recidive-route", using the standard recidive filter and added the basic route.conf file in the /etc/fail2ban/actions.d directory.

Enabled recidive-route (new jail).

The fail2ban.log file has entries showing that the jail recidive-route has found IP addresses to block, but the IP addresses are not blocked. The ip route command does not show any blocked IP addresses.

Swap back to using the recidive jail (disable recidive-route, enable recidive) and all the IP addresses are blocked in iptables -L, just like it should be done.

Anyone know anything about route.conf issues and why it was not included in the Plesk 12.5 upgrade?
Any suggestions to make it work?

Thank you.
 
Hi Lee Edwards,

we need some more information to investigate the issue.

First, please post your specific "recidive-route" jail.
Second, please consider setting another log level (DEBUG) in "/etc/fail2ban/fail2ban.conf", so that Fail2Ban logs more information, which you can then investigate (logtarget = /var/log/fail2ban.log). If you need help with your log investigation, please consider posting the corresponding log file.
 
Enabling loglevel = DEBUG resulted in this error. I commented it back out after this error showed up in the UI of Plesk -> Fail2Ban:

Internal error: f2bmng failed: ERROR:f2bmng:File contains no section headers. file: /etc/fail2ban/fail2ban.conf, line: 9 'loglevel = DEBUG\n'
Message f2bmng failed: ERROR:f2bmng:File contains no section headers. file: /etc/fail2ban/fail2ban.conf, line: 9 'loglevel = DEBUG\n'
File Agent.php
Line 217
Type PleskUtilException


route.conf

# Fail2Ban configuration file
#
# Author: Michael Gebetsroither
#
# This is for blocking whole hosts through blackhole routes.
#
# PRO:
# - Works on all kernel versions and has no compatibility problems (back to debian lenny and WAY further).
# - It's FAST for very large numbers of blocked ips.
# - It's FAST because it Blocks traffic before it enters common iptables chains used for filtering.
# - It's per host, ideal as action against ssh password bruteforcing to block further attack attempts.
# - No additional software required beside iproute/iproute2
#
# CON:
# - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts

[Definition]
actionban = ip route add <blocktype> <ip>
actionunban = ip route del <blocktype> <ip>

[Init]

# Option: blocktype
# Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
# Values: STRING
blocktype = unreachable
 
[recidive-route]
enabled = true
filter = recidive
action = route[name=recidive-route]
logpath = /var/log/fail2ban.log
bantime = 604800
maxretry = 5
 
Enabled debug incorrectly, but when I do, the log is just filled with:
2015-11-03 10:09:37,232 fail2ban.datedetector [4684]: DEBUG Got time 1437193756.000000 for "u'Sat Jul 18 00:29:16 2015'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2015-11-03 10:09:37,234 fail2ban.datedetector [4684]: DEBUG Matched time template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2015-11-03 10:09:37,234 fail2ban.datedetector [4684]: DEBUG Got time 1446397545.000000 for "u'Nov 1 12:05:45'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2015-11-03 10:09:37,234 fail2ban.datedetector [4684]: DEBUG Got time 1446397589.000000 for "u'2015-11-01 12:06:29,028'" using template Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
2015-11-03 10:09:37,234 fail2ban.datedetector [4684]: DEBUG Matched time template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2015-11-03 10:09:37,235 fail2ban.datedetector [4684]: DEBUG Got time 1446555769.000000 for "u'03/Nov/2015:08:02:49 -0500'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2015-11-03 10:09:37,235 fail2ban.datedetector [4684]: DEBUG Matched time template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2015-11-03 10:09:37,235 fail2ban.datedetector [4684]: DEBUG Matched time template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2015-11-03 10:09:37,235 fail2ban.datedetector [4684]: DEBUG Got time 1446395161.000000 for "u'Nov 1 11:26:01'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?

Turned debug off
 
Sorry for the confusion.
It looks like it is working now. When I changed the jail [recidive-route] to 2 retries instead of 5, several entries in ip route showed up. So I was not waiting long enough for 5 to happen in the span of time.

This is solved.
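
The resolution above comes down to how a recidive jail counts: it reads "Ban" lines from other jails in fail2ban.log and acts only once one address reaches maxretry of them inside the findtime window. The following is an added example, not code from the thread or from fail2ban itself, that models this counting in simplified form over constructed log lines; the findtime of 86400 seconds, the jail names and the addresses are assumptions, since the posted jail does not set findtime.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ban line written by fail2ban.actions (the PID field is optional), e.g.
# 2015-11-01 12:06:29,028 fail2ban.actions [4684]: NOTICE [ssh] Ban 192.0.2.10
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s*"
    r"(?:\[\d+\])?:\s+(?:NOTICE|WARNING)\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$"
)

# Constructed sample log: documentation addresses, assumed jail names.
SAMPLE_LOG = """\
2015-11-01 12:06:29,028 fail2ban.actions [4684]: NOTICE [ssh] Ban 192.0.2.10
2015-11-01 13:10:02,511 fail2ban.actions [4684]: NOTICE [ssh] Ban 198.51.100.7
2015-11-01 14:00:00,000 fail2ban.actions [4684]: NOTICE [ssh] Unban 192.0.2.10
2015-11-01 14:30:11,120 fail2ban.actions [4684]: NOTICE [postfix] Ban 192.0.2.10
2015-11-01 18:45:40,902 fail2ban.actions [4684]: NOTICE [ssh] Ban 198.51.100.7
2015-11-03 10:09:37,234 fail2ban.datedetector [4684]: DEBUG Matched time template
2015-11-04 09:00:00,000 fail2ban.actions [4684]: NOTICE [ssh] Ban 203.0.113.5
2015-11-07 09:00:00,000 fail2ban.actions [4684]: NOTICE [ssh] Ban 203.0.113.5
"""

def recidive_triggers(lines, maxretry, findtime, own_jail="recidive-route"):
    """Return {ip: datetime of the ban that reaches maxretry within findtime}."""
    window = defaultdict(deque)   # ip -> ban times still inside the window
    triggered = {}
    for line in lines:
        m = BAN_RE.match(line)
        # Simplification: bans issued by the recidive jail itself are not counted.
        if not m or m.group("jail") == own_jail:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        bans = window[ip]
        bans.append(ts)
        # Forget bans that are older than findtime relative to this one.
        while ts - bans[0] > timedelta(seconds=findtime):
            bans.popleft()
        if len(bans) >= maxretry and ip not in triggered:
            triggered[ip] = ts
    return triggered

if __name__ == "__main__":
    for retries in (5, 2):
        hits = recidive_triggers(SAMPLE_LOG.splitlines(), retries, 86400)
        print("maxretry=%d -> %s" % (retries, sorted(hits) or "no route entries yet"))
```

When a route-based jail shows matches in the log but nothing in `ip route`, comparing the per-address ban count against maxretry and findtime this way separates "threshold not reached yet" from a broken action.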
 